...
- All network connections make use of HTTP
- Connections from a user browser to the JOC Cockpit
- Connections from the PowerShell CLI to the JOC Cockpit REST Web Service
- Connections from the JOC Cockpit REST Web Service to the JobScheduler Master
- Connections from the JobScheduler Master to Agents
- Port Usage
- The JOC Cockpit can be accessed at port 4446
- The JOC Cockpit REST Web Service can be accessed at port 4446
- The JobScheduler Master uses the following ports:
- Access to the JobScheduler Master Web Service at port 40444
- Access to the JobScheduler Master via TCP at port 4444
- Access to the JobScheduler Master via UDP at port 4444
- The TCP port 4444 and HTTP port 40444 enable access to the "classic" JOC GUI that ships without authentication and authorization.
- The JobScheduler Agent listens to port 4445
- Network Interface Usage
- By default JobScheduler components will listen to the above mentioned ports on all available network interfaces.
- Firewall Settings
- Open ports in your firewall exclusively for the hosts, protocols and ports as specified above. Consider allowing connections only for the directions indicated in the diagram above.
...
- Configure network connections to use HTTPS
- The use of HTTPS includes users providing valid certificates for the hosts that JobScheduler components are operated for. The use of self-signed certificates is a no-go.
- As HTTPS is restricted to secure the connection, in addition authentication is added to the configuration, e.g. when using HTTPS then a JobScheduler Master is configured to authenticate with an Agent in order to guarantee that the Master is what it claims to be and is entitled to access an Agent.
- For detailed instructions on the configuration see:
- JOC Cockpit - HTTPS Authentication explains HTTPS configuration for the JOC Cockpit and connection to the JobScheduler Master.
- JobScheduler Universal Agent - HTTPS Agent and Master Authentication
- Drop the JobScheduler Master TCP / UDP / TCP port:
- This port is not required for standard operation with releases starting from 1.11.
- This port is required for previous releases that include the "classic" JOC GUI running in the JobScheduler Master.
- Access to this port can be restricted with the
<allowed_host>setting in./config/scheduler.xml
- Access to this port can be restricted with the
- This port is required for all releases if a JobScheduler Supervisor is used.
- Restrict use of network interfaces
- Consider restricting JobScheduler components to only listen to specific network interfaces.
- The JobScheduler Master can be configured by use of the
http_portandhttps_portattributes in the./config/scheduler.xmlconfiguration file. - Configure the JobScheduler Universal Agent to use the
SCHEDULER_HTTP_PORTandSCHEDULER_HTTPS_PORTenvironment variables in the JobScheduler Agent instance script.
- Drop the "classic" JOC GUI
- The "classic" JOC GUI ships without authentication and authorization. It is included with release 1.11 for users who stick to this interface. It is available from the above TCP port and HTTP port.
- To drop the "classic" JOC GUI remove the
SCHEDULER_HOME/operations_guifolder.
Database Connections
All database connections are based on JDBC. If JDBC type 4 drivers are used then a DBMS client is not required for operation of JobScheduler components. JobScheduler components use Hibernate as their database access layer.
...
- Use the YADE Credential Store to manage credentials centrally in a store that is referenced by YADE configuration items, see the How to set-up the Credential Store and YADE Parameter Reference - CredentialStoreFragment articles.
- Should you use FTP connections then consider to switch to use of SFTP.
- SFTP connections can be used with private/public key files, there is no need to use passwords for such connections,.